A+ Core 2 · CompTIA 220-1202 V15 · Objective C2-2.2

Given a scenario, configure and apply basic Microsoft Windows OS security settings

Cert: CompTIA A+ Core 2 (220-1202) V15
Domain: 2.0 Security
Weight: Part of the 28% Security domain
Depth: Given a scenario, configure. The candidate must apply Windows security settings including Defender, firewall, accounts, login options, NTFS permissions, UAC, BitLocker, EFS, and Active Directory configurations.

What this objective tests

You should know how to configure Windows Defender, Windows Firewall, user accounts, login methods, NTFS vs share permissions, UAC, BitLocker/EFS encryption, and Active Directory join settings.

Key facts

Defender Antivirus activate/deactivate:

  • Built-in real-time antivirus. On by default.
  • Disable only when a third-party AV is installed (Windows hands off to it automatically once it registers) or for specific testing scenarios.
  • Found in Windows Security > Virus & threat protection.

Defender update definitions:

  • Signature updates auto-pull via Windows Update. Manual update: Windows Security > Virus & threat protection updates > Check for updates.

Firewall activate/deactivate:

  • Windows Defender Firewall, per network profile (Domain, Private, Public).
  • Disable only with intent. Most issues should be fixed by allowing the specific app, not turning off the firewall.

Port security (firewall):

  • Block or allow specific TCP/UDP ports inbound or outbound.
  • Configure in Windows Defender Firewall with Advanced Security (wf.msc) > Inbound Rules / Outbound Rules.

Application security (firewall):

  • Per-app rules. "Allow an app through Windows Defender Firewall" or create custom Advanced Security rules tied to a specific executable.
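Added example (not from the study notes): the firewall tasks above done from PowerShell instead of the GUI. It checks that all three profiles are on, adds one port rule and one per-application rule, then lists them. The rule names, the port (TCP 445) and the executable path are placeholders chosen for this example. Run in an elevated session.

```powershell
# Added example: Windows Defender Firewall profiles, a port rule and an app rule.
# Run elevated. Rule names, port and program path are placeholders.
#Requires -RunAsAdministrator

# 1. Show profile state. Problems are fixed with rules, not by disabling a profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Make sure Domain, Private and Public are all enabled (no-op if already on).
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 3. Port security: block inbound TCP 445 on the Public profile only.
#    (Placeholder port; use whatever port the scenario names.)
New-NetFirewallRule -DisplayName "Example - Block inbound TCP 445 (Public)" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -Action Block -Profile Public | Out-Null

# 4. Application security: allow one specific executable inbound rather than
#    opening a port for every program. Path is a placeholder.
$app = "C:\Program Files\ExampleApp\exampleapp.exe"
New-NetFirewallRule -DisplayName "Example - Allow ExampleApp inbound" `
    -Direction Inbound -Program $app -Action Allow -Profile Domain, Private | Out-Null

# 5. Verify the two rules that were just created.
Get-NetFirewallRule -DisplayName "Example - *" |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

To undo the example rules afterwards, run Remove-NetFirewallRule -DisplayName "Example - *". The same cmdlets back the wf.msc console, so what you see under Inbound Rules matches the output of the last command.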

Local user account:

  • Account that lives only on this PC. Created in Settings or via net user <username> <password> /add.

Microsoft account:

  • Account tied to Microsoft cloud identity. Syncs settings, ties into OneDrive, Microsoft Store, etc.
  • Windows 11 Home requires a Microsoft account for initial setup.

Standard account:

  • Default user type. Can run apps and access user files. Cannot install software system-wide or change system settings without elevation.

Administrator:

  • Full control over the PC. Can install software, change system settings, access all files (with confirmation).
  • Should be the exception, not the default.

Guest user:

  • Legacy account for one-off limited use. Disabled by default in modern Windows. Don't enable.

Power user:

  • Legacy account type from Windows XP. Modern Windows treats Power Users like Standard Users with minor differences. Largely obsolete.
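Added example (not from the study notes): creating a local Standard account the way the notes recommend (member of Users, not Administrators), then auditing who actually holds local admin and confirming Guest stays disabled. The username and display name are placeholders; the password is prompted for rather than written into the script. Run elevated.

```powershell
# Added example: local standard user creation plus a quick account audit.
# Username/full name are placeholders. Run elevated.
#Requires -RunAsAdministrator

$name = "jdoe"   # placeholder

# Prompt for the initial password instead of hard-coding it in a script.
$pw = Read-Host -AsSecureString -Prompt "Initial password for $name"

# New-LocalUser does not add the account to any group by itself, so add it to
# Users explicitly. Users = "Standard account" in Settings.
New-LocalUser -Name $name -Password $pw -FullName "Jane Doe (example)" `
    -Description "Standard user created for the example" | Out-Null
Add-LocalGroupMember -Group "Users" -Member $name

# Audit: local administrators should be the exception, not the default.
Get-LocalGroupMember -Group "Administrators" |
    Select-Object Name, PrincipalSource

# Guest is a legacy account; keep it disabled.
if ((Get-LocalUser -Name "Guest").Enabled) {
    Write-Warning "Guest account is enabled; disabling it."
    Disable-LocalUser -Name "Guest"
}

# Classic equivalent of the creation step from the notes (prompts for the password):
#   net user jdoe * /add
```

If the audit lists the everyday user account under Administrators, move it out with Remove-LocalGroupMember -Group "Administrators" -Member <name> and give IT a separate admin account, as in the baseline config at the end of these notes.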

Username and password (login):

  • The basic login method.

Personal identification number (PIN, Windows Hello PIN):

  • Local PIN tied to the device. Replaces password for login. Can include letters and symbols if "Include letters and symbols" is enabled.
  • More secure than password because the PIN can't be used to authenticate anywhere else.

Fingerprint:

  • Biometric login via fingerprint reader. Part of Windows Hello.

Facial recognition:

  • Biometric login via IR camera. Part of Windows Hello.

SSO (Single Sign-On):

  • Sign in once to Windows, automatically authenticate to other services.

Passwordless / Windows Hello:

  • Login with PIN, fingerprint, face, or security key instead of password.
  • The PIN is tied to the device and uses TPM-backed key storage; cracking the PIN doesn't give the attacker your password.

NTFS permissions:

  • Per-user/group permissions on files and folders. Apply locally and across the network when accessed via share.
  • Full Control, Modify, Read & Execute, List Folder Contents, Read, Write.

Share permissions:

  • Per-user/group permissions on a network share. Apply only over the network.
  • Read, Change, Full Control.

NTFS vs share permissions (combined):

  • When accessing a share over the network, the most restrictive of NTFS and share permissions wins.
  • Common practice: set share permissions to Everyone = Full Control, then control access via NTFS permissions (single point of management).

File and folder attributes:

  • Read-only, Hidden, System, Archive. Affect visibility and behavior but aren't permissions.

Inheritance:

  • Subfolders inherit parent folder permissions by default.
  • Break inheritance to customize permissions on a specific subfolder (Properties > Security > Advanced > Disable inheritance).
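Added example (not from the study notes) covering the three preceding sections together: a share with Everyone = Full Control, NTFS permissions as the single point of control, and inheritance broken on one subfolder. The folder path, share name and domain group are placeholders. Run elevated on the file server.

```powershell
# Added example: "Everyone Full Control on the share, control access with NTFS",
# plus breaking inheritance on a subfolder. Paths/share/group are placeholders.
#Requires -RunAsAdministrator

$root  = "D:\Shares\Projects"        # placeholder path
$sub   = Join-Path $root "Finance"
$group = "CORP\Finance-Users"        # placeholder domain security group

New-Item -ItemType Directory -Path $sub -Force | Out-Null

# 1. Share permissions: Everyone Full Control. Over the network the MORE restrictive
#    of share and NTFS wins, so the share gate is left wide open on purpose and
#    NTFS becomes the only place access is managed.
New-SmbShare -Name "Projects" -Path $root -FullAccess "Everyone" | Out-Null

# 2. NTFS on the root: Authenticated Users get Read & Execute, inherited by everything below.
$inherit = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
$acl = Get-Acl -Path $root
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "Authenticated Users", "ReadAndExecute", $inherit, "None", "Allow"))
Set-Acl -Path $root -AclObject $acl

# 3. Subfolder: disable inheritance (Properties > Security > Advanced > Disable inheritance)
#    and convert the inherited entries to explicit ones so they can be edited.
$subAcl = Get-Acl -Path $sub
$subAcl.SetAccessRuleProtection($true, $true)   # protect = $true, preserve copies = $true
Set-Acl -Path $sub -AclObject $subAcl

# 4. Tighten: remove the copied read entry for Authenticated Users, grant Modify to the group only.
$subAcl = Get-Acl -Path $sub
$subAcl.PurgeAccessRules([System.Security.Principal.NTAccount] "NT AUTHORITY\Authenticated Users")
$subAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $group, "Modify", $inherit, "None", "Allow"))
Set-Acl -Path $sub -AclObject $subAcl

# 5. Verify: every entry on the subfolder should now show IsInherited = False,
#    and the share should show Everyone / Full.
(Get-Acl -Path $sub).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
Get-SmbShareAccess -Name "Projects"
```

The order in step 3 and 4 matters: protection is written to disk first, then the ACL is re-read, so the purge removes explicit copies rather than trying to remove inherited entries. A user who is not in Finance-Users now gets Read & Execute at the root (share Full Control, NTFS Read) and nothing in Finance (NTFS denies by omission), which is exactly the "most restrictive wins" rule from the notes.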

Run as administrator vs standard user:

  • Right-click an app > Run as administrator runs it with elevated privileges (UAC prompt).
  • Most apps don't need admin. Run elevated only when the task requires it (installer, system config tool).

User Account Control (UAC):

  • Prompts the user (or asks for credentials) when an app requests admin privileges.
  • Four levels in Control Panel > User Account Control Settings: Always notify, Notify when apps try (default), Notify when apps try (don't dim), Never notify.
  • Don't set to Never notify; it disables a meaningful security layer.

BitLocker:

  • Full-disk encryption (covered in 1.3). Pro+ edition required.
  • Uses TPM 2.0 to seal the encryption key to the hardware. Recovery key needed for moves between PCs or TPM resets.
  • Enable: Control Panel > BitLocker Drive Encryption.

BitLocker To Go:

  • BitLocker for removable drives (USB, external HDD).
  • Password-based unlock; can be used cross-PC.

Encrypting File System (EFS):

  • File/folder-level encryption tied to a user's certificate.
  • Right-click file/folder > Properties > Advanced > Encrypt contents.
  • Different from BitLocker (BitLocker = whole drive; EFS = specific files). EFS-encrypted files become unrecoverable if the user's certificate is deleted without a backup.
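Added example (not from the study notes) for the BitLocker, BitLocker To Go and EFS sections above: enable BitLocker on the OS drive with a TPM protector, add a recovery password and escrow it before treating the disk as protected, then encrypt a folder with EFS and back up the EFS certificate. Assumes a Pro+ edition with a TPM and an elevated session; the folder and backup paths are placeholders.

```powershell
# Added example: BitLocker with TPM + escrowed recovery password, then EFS with a
# certificate backup. Run elevated on a Pro+ edition with a TPM. Paths are placeholders.
#Requires -RunAsAdministrator

$vol = "C:"

# Before: VolumeStatus FullyDecrypted/FullyEncrypted, ProtectionStatus On/Off.
Get-BitLockerVolume -MountPoint $vol |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus

# 1. Seal the volume key to the TPM and start encrypting (used space only is fast on a fresh build).
Enable-BitLocker -MountPoint $vol -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# 2. Add a recovery password protector. This 48-digit key is what gets you in after a
#    TPM reset or when the drive is moved to another PC.
$rpId = (Add-BitLockerKeyProtector -MountPoint $vol -RecoveryPasswordProtector).KeyProtector |
    Where-Object KeyProtectorType -eq "RecoveryPassword" |
    Select-Object -ExpandProperty KeyProtectorId

# 3. Escrow it BEFORE relying on the disk. Domain-joined PCs back it up to AD DS
#    (the Group Policy permitting backup must already apply to this computer).
Backup-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $rpId
#    Entra-joined / Microsoft account devices use this instead:
# BackupToAAD-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $rpId

# 4. Verify. A volume with no RecoveryPassword protector is the escrow gotcha from the notes.
(Get-BitLockerVolume -MountPoint $vol).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId

# --- EFS: file/folder-level encryption tied to the user's certificate ---
# Encrypt one folder (and subfolders), then export the EFS certificate + private key
# to a password-protected .pfx. Without that backup, losing the cert loses the files.
$private = "$env:USERPROFILE\Documents\Private"   # placeholder folder
New-Item -ItemType Directory -Path $private -Force | Out-Null
cipher /e /s:$private
cipher /x "$env:USERPROFILE\efs-backup"           # writes efs-backup.pfx, prompts for a password
```

For BitLocker To Go the same cmdlets apply to a removable drive with a password protector instead of the TPM, e.g. Enable-BitLocker -MountPoint E: -PasswordProtector -Password (Read-Host -AsSecureString), which is what makes the drive usable on another PC. Store the exported .pfx somewhere other than the EFS-encrypted volume itself.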

Active Directory joining domain:

  • Connect a PC to an AD domain. Settings > Accounts > Access work or school > Connect > Join this device to a local Active Directory domain.
  • Pro+ edition required.

Assigning login script:

  • Configure a script (.bat, .ps1) that runs at user login. Used to map drives, install printers, set environment.
  • Assign in AD Users and Computers > User properties > Profile tab.

Moving objects within organizational units (OUs):

  • AD organizes users and computers into OUs. Move objects between OUs in Active Directory Users and Computers.
  • OU placement affects Group Policy application (policies linked to OUs apply to objects in them).

Assigning home folders:

  • Network folder set as the user's home directory. Roams across PCs.
  • Configure in AD Users and Computers > User properties > Profile tab.

Applying Group Policy:

  • Policies linked to domains, sites, or OUs apply to users and computers in scope.
  • Refresh with gpupdate /force. Verify with gpresult /r.

Selecting security groups:

  • Add users to security groups in AD. Permissions are assigned to groups, not individuals (manageability at scale).

Configuring folder redirection:

  • Redirect user folders (Desktop, Documents, Pictures) to a network share via Group Policy.
  • User's data follows them between PCs without roaming profiles.
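Added example (not from the study notes) covering the Active Directory sections above as one procedure: domain join, login script and home folder on the Profile tab, moving the user into an OU, adding the user to a security group, and refreshing/verifying Group Policy. The domain, OU paths, file server, group and username are placeholders. Assumes the RSAT ActiveDirectory module on the admin workstation.

```powershell
# Added example: the AD tasks from the notes via the ActiveDirectory module.
# Domain, OUs, server, group and user are placeholders.
Import-Module ActiveDirectory

$domain = "corp.example"   # placeholder domain
$user   = "jdoe"           # placeholder sAMAccountName

# 1. Join the PC to the domain. Runs on the client, elevated; prompts for credentials
#    that may join computers, drops the computer object in the given OU, then reboots.
# Add-Computer -DomainName $domain -OUPath "OU=Workstations,DC=corp,DC=example" `
#     -Credential (Get-Credential) -Restart

# 2. Profile tab: login script (stored in the NETLOGON share) and home folder.
Set-ADUser -Identity $user -ScriptPath "logon.bat" `
    -HomeDrive "H:" -HomeDirectory "\\fs01.$domain\home\$user"

# 3. Move the user into the OU whose linked GPOs should apply to them.
$dn = (Get-ADUser -Identity $user).DistinguishedName
Move-ADObject -Identity $dn -TargetPath "OU=Finance,OU=Users,DC=corp,DC=example"

# 4. Grant access through a security group, never by per-user ACLs.
Add-ADGroupMember -Identity "Finance-Users" -Members $user

# 5. Verify the Profile-tab attributes and group membership.
Get-ADUser -Identity $user -Properties ScriptPath, HomeDrive, HomeDirectory, MemberOf |
    Select-Object SamAccountName, ScriptPath, HomeDrive, HomeDirectory, MemberOf

# 6. On the client, after the user logs on: force a policy refresh and show what applied.
#    Folder redirection has no cmdlet; it is set only through Group Policy
#    (User Configuration > Policies > Windows Settings > Folder Redirection).
# gpupdate /force
# gpresult /r
```

Steps 2 to 5 run on the admin workstation; steps 1 and 6 run on the client, which is why they are shown commented out. The OU move takes effect for Group Policy only at the next refresh (or gpupdate /force), which is the "forgot to refresh" gotcha below.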

Common gotchas

  • Share permissions set to Everyone = Full Control while NTFS permissions are also too permissive. The effective permission is the more restrictive of the two, so with a wide-open share the NTFS entries are the only gate that remains; if those are loose too, everyone gets everything. NTFS still applies over the network, so it has to be locked down.
  • Disabling UAC entirely. Every app launched by an admin user runs elevated silently, so a whole category of malware no longer triggers a warning.
  • Forgetting to refresh Group Policy after changes. Changes don't apply until next refresh (90 minutes default) or gpupdate /force.
  • BitLocker enabled without recovery key escrow. If TPM resets or the drive moves, you can't decrypt without the recovery key.
  • EFS certificate lost. EFS-encrypted files become unrecoverable if the user's certificate is gone.
  • Local admin account in production. Every helpdesk shop has the story of "we shared the local admin password across the company." Don't.

Real-world context

Baseline Windows security config for an office PC:

  1. Domain join (Pro+).
  2. Standard user account for the user, separate admin account for IT.
  3. UAC at default level.
  4. Windows Defender Firewall on, Domain profile active.
  5. BitLocker enabled, recovery key escrowed to AD or Microsoft account.
  6. Windows Defender (or chosen AV) active and up to date.
  7. Windows Hello PIN configured (with biometrics if the hardware supports them).
  8. Group Policy applies organizational settings.
  9. Login script (or GPO) maps drives.
  10. Folder redirection for user data (if applicable).
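Added example (not from the study notes): a read-only audit of the baseline checklist above. It also serves the UAC section, by decoding the four slider levels from the two policy values that store them, and the Defender sections, by reading real-time protection and signature age. Run elevated on the PC; it changes nothing. The registry path and value names are the documented UAC policy settings; item 7 (Hello PIN) has no cmdlet and is checked per user in Settings.

```powershell
# Added example: read-only audit of the office-PC baseline. Run elevated; nothing is changed.
#Requires -RunAsAdministrator

function Get-UacLevel {
    # The four Control Panel levels are stored as two policy values:
    #   ConsentPromptBehaviorAdmin: 2 = always prompt, 5 = prompt for non-Windows binaries, 0 = never
    #   PromptOnSecureDesktop:      1 = dim the desktop, 0 = don't dim
    # EnableLUA = 0 means UAC is switched off regardless of the slider.
    $p = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if ($p.EnableLUA -eq 0) { return "Never notify (UAC disabled)" }
    switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        "2/1"   { "Always notify" }
        "5/1"   { "Notify when apps try (default)" }
        "5/0"   { "Notify when apps try (don't dim)" }
        "0/0"   { "Never notify" }
        default { "Custom ($_)" }
    }
}

$cs  = Get-CimInstance Win32_ComputerSystem
$blv = Get-BitLockerVolume -MountPoint "C:"
$mp  = Get-MpComputerStatus

$report = [ordered]@{
    "1. Domain joined"          = $cs.PartOfDomain
    "2. Local Administrators"   = (Get-LocalGroupMember -Group "Administrators").Name -join ", "
    "3. UAC level"              = Get-UacLevel
    "4. Firewall profiles on"   = (Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -eq "True" }).Name -join ", "
    "4. Active network type"    = (Get-NetConnectionProfile).NetworkCategory -join ", "
    "5. BitLocker C: protection"= "$($blv.ProtectionStatus)"
    "5. Recovery key protector" = [bool]($blv.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")
    "6. Defender real-time"     = $mp.RealTimeProtectionEnabled
    "6. Signatures last updated"= $mp.AntivirusSignatureLastUpdated
}
[pscustomobject]$report | Format-List

# Findings that map straight onto the "Common gotchas" list.
if ($report["3. UAC level"] -like "Never*") {
    Write-Warning "UAC is off: apps run by an admin elevate silently."
}
if (-not $report["5. Recovery key protector"]) {
    Write-Warning "No BitLocker recovery password protector: escrow a key before relying on this disk."
}
if ($report["4. Firewall profiles on"] -notmatch "Domain") {
    Write-Warning "Domain firewall profile is disabled."
}

# 8-10. Which GPOs actually applied to the computer (login scripts and folder
#       redirection ride on these). Use gpresult /r for the user scope after logon.
gpresult /r /scope:computer
```

A PC that is not domain-joined shows NetworkCategory Private or Public instead of DomainAuthenticated, and a Home edition errors on Get-BitLockerVolume, which is itself a useful finding against items 1 and 5.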

Sources

  • [CompTIA A+ 220-1202 Exam Objectives Version 4.0, Section 2.2](../../../../../../30-RevyTechJourney/CompTIA%20A%2B%20220-1202%20Exam%20Objectives%20%284.0%29.pdf)
  • [Microsoft Learn: Windows Defender Antivirus](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)
  • [Microsoft Learn: BitLocker](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/)
  • [Microsoft Learn: NTFS permissions](https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/manage--permissions-for-file-and-folder)
  • [Microsoft Learn: User Account Control](https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview)